# Guide to fulfilling SOC 2 security requirements with GitLab

Fernando Diaz, 2025-01-22

Understand the application security features in the GitLab DevSecOps platform that map to System and Organization Controls 2 requirements.

For businesses that handle sensitive customer information, achieving SOC 2 (System and Organization Controls 2) compliance is not just a good practice — it's often a necessity. SOC 2 is a rigorous auditing standard developed by the American Institute of Certified Public Accountants that assesses a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy.

While SOC 2 is not legally mandated, it has become increasingly important, in part due to breaches consistently seen in news headlines. Obtaining SOC 2 compliance allows customers to build trust with service organizations because they know their data is being properly stored and security controls have been assessed by a third party.

In this guide, we'll review the requirements for obtaining SOC 2 compliance and how GitLab can help your organization meet the highest standards for application security.

## What requirements are set by SOC 2

The compliance process involves an audit by an independent auditor who evaluates the design and operating effectiveness of an organization's controls. This process can be very costly, and many organizations are not sufficiently prepared before an audit. With the SOC 2 audit process typically taking close to a year, it is important to establish an efficient pre-audit process.

To obtain SOC 2 compliance, an organization must meet requirements based on the Trust Services Criteria:

| Criteria | Requirements |
| :---- | :---- |
| Security | - Implement controls to protect against unauthorized access <br> - Establish procedures for identifying and mitigating risks <br> - Set up systems for detecting and addressing security incidents |
| Availability | - Ensure systems are accessible for operation as agreed <br> - Monitor current usage and capacity <br> - Identify and address environmental threats that could affect system availability |
| Processing integrity | - Maintain accurate records of system inputs and outputs <br> - Implement procedures to quickly identify and correct system errors <br> - Define processing activities to ensure products and services meet specifications |
| Confidentiality | - Identify and protect confidential information <br> - Establish policies for data retention periods <br> - Implement secure methods for destroying confidential data after retention periods expire |
| Privacy | - Obtain consent before collecting sensitive personal information <br> - Communicate privacy policies clearly and in plain language <br> - Collect data only through legal means and from reliable sources |

Note that these requirements are not one-time achievements, but rather a continuous process. Auditors will require evidence of control effectiveness over time.

## How to achieve and maintain the security requirements

GitLab provides several features out of the box to get you started with assuring SOC 2 security needs are met:

| Security Requirement | Addressing Feature |
| :---- | :---- |
| Implement controls to protect against unauthorized access | - Confidential Issues and Merge Requests <br> - Custom Roles and Granular Permissions <br> - Security Policies <br> - Verified Commit <br> - Signed Container Images <br> - CodeOwners <br> - Protected Branches |
| Set up systems for detecting and addressing security incidents | - Vulnerability Scanning <br> - Merge Request Security Widget <br> - Vulnerability Insights Compliance Center <br> - Audit Events <br> - Vulnerability Report Dependency List <br> - AI: Vulnerability Explanation <br> - AI: Vulnerability Resolution |
| Establish procedures for identifying and mitigating risks | All the above tools can be used by a security team to establish a procedure around what to do when security vulnerabilities are identified and how they are mitigated. |

Let's go through each section and highlight the security features that address these requirements. Note that a [GitLab Ultimate subscription](https://about.gitlab.com/free-trial/) and the correct role and permissions are required to access many of the features listed. Be sure to check out the appropriate documentation for more information.

## Implement controls to protect against unauthorized access

Implementing robust access controls is essential for protecting an organization's assets, ensuring regulatory compliance, maintaining operational continuity, and fostering trust. GitLab allows you to implement controls to follow the [principle of least privilege](https://about.gitlab.com/blog/the-ultimate-guide-to-least-privilege-access-with-gitlab/), securing against unauthorized access. I will briefly cover:

* [Security policies](#security-policies)
* [Custom roles and granular permissions](#custom-roles-and-granular-permissions)
* [Branch protections and CodeOwners](#branch-protections-and-codeowners)
* [Verified commits](#verified-commits)

### Security policies

GitLab's security policies, known as guardrails, enable security and compliance teams to implement consistent controls across their organization, helping prevent security incidents, maintain compliance standards, and reduce risk by automatically enforcing security best practices at scale.

![Merge request approval policy in action](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/merge_request_approval_policy_aHR0cHM6_1750099596925.png)

<center><i>Merge request approval policy in action</i></center>

The following policy types are available:

* Scan execution policy: Enforce security scans, either as part of the pipeline or on a specified schedule
* Merge request approval policy: Enforce project-level settings and approval rules based on scan results
* Pipeline execution policy: Enforce CI/CD jobs as part of project pipelines
* Vulnerability management policy: Automate vulnerability management workflows

Here is an example of ensuring compliance with the pipeline execution policy:

1. Create a project that houses multiple compliance jobs. An example of a job can be to check permissions of files that are deployed. These jobs should be generic enough that they can be applied to multiple applications.
2. Limit the project's permissions to only security/compliance officers; don't allow developers to remove jobs. This allows for separation of duties.
3. Inject the compliance jobs in batch into the projects where they are required. Force them to run no matter what, but allow approval from a team lead so that development is not blocked. This ensures that compliance jobs are always run and cannot be removed by developers, and that your environment remains compliant.

> ##### Learn how to create security policies with our [security policy documentation](https://docs.gitlab.com/ee/user/application_security/policies/).

### Custom roles and granular permissions

Custom permissions in GitLab allow organizations to create fine-grained access controls beyond the standard role-based permissions, providing benefits such as:

* more precise access control
* better security compliance
* reduced risk of accidental access
* streamlined user management
* support for complex organizational structures

![GitLab custom roles](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/custom_roles_aHR0cHM6_1750099596926.png)

<center><i>Roles and permissions settings, including custom roles</i></center>

> ##### Learn how to create custom roles with granular permissions using our [custom role documentation](https://docs.gitlab.com/ee/user/custom_roles.html).

### Branch protections and CodeOwners

GitLab helps you further control who can change your code using two key features:

* Branch Protection, which lets you set rules about who can update specific branches – like requiring approval before merging changes.
* Code Ownership, which automatically finds the right people to review code changes by matching files to their designated owners.

Together, these features help keep your code secure and high-quality by making sure the right people review and approve changes.

![Protected branches](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/protected_branches_aHR0cHM6_1750099596928.png)

<center><i>Protected branch settings</i></center>

> ##### Learn how to create protected branches along with CodeOwners using [protected branch](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html) and [codeowner](https://docs.gitlab.com/ee/user/project/codeowners/) documentation.

### Verified commits

When you sign your commits digitally, you prove they really came from you, not someone pretending to be you. Think of a digital signature like a unique stamp that only you can create. When you upload your public GPG key to GitLab, it can check this stamp. If the stamp matches, GitLab marks your commit as `Verified`. You can then set up rules to reject commits that aren't signed, or block all commits from users who haven't verified their identity.

![Commit signed with verified signature](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/signed_commit_aHR0cHM6_1750099596929.png)

<center><i>Commit signed with verified signature</i></center>

Commits can be signed with:

* SSH key
* GPG key
* Personal X.509 certificate

> ##### Learn more about verified commits with our [signed commits documentation](https://docs.gitlab.com/ee/user/project/repository/signed_commits/).

## Set up systems for detecting and addressing security incidents

Setting up systems for detecting and addressing security incidents is vital for maintaining a robust security posture, ensuring regulatory compliance, minimizing potential damages, and enabling organizations to respond effectively to the ever-evolving threat landscape.

GitLab provides security scanning and vulnerability management for the complete application lifecycle. I will briefly cover:

* [Security scanning and vulnerability management](#security-scanning-and-vulnerability-management)
* [Software bill of materials](#software-bill-of-materials)
* [System auditing and security posture review](#system-auditing-and-security-posture-review)
* [Compliance and security posture oversight](#compliance-and-security-posture-oversight)

### Security scanning and vulnerability management

GitLab provides a variety of different security scanners that cover the complete lifecycle of your application:

* Static Application Security Testing (SAST)
* Dynamic Application Security Testing (DAST)
* Container Scanning
* Dependency Scanning
* Infrastructure as Code (IaC) Scanning
* Coverage-guided Fuzzing
* Web API Fuzzing

These scanners can be added to your pipeline via the use of templates. For example, to run SAST and dependency scanning jobs in the test stage, simply add the following to your `.gitlab-ci.yml`:

```yaml
stages:
  - test

include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
```

These jobs are fully configurable via environment variables and using GitLab job syntax. Once a pipeline kicks off, the security scanners run and detect vulnerabilities in the diff between the current branch and the target branch. The vulnerability can be seen in a merge request (MR), providing detailed oversight before the code is merged to the target branch. The MR will provide the following information on a vulnerability:

* description
* status
* severity
* evidence
* identifiers
* URL (if applicable)
* request/response (if applicable)
* reproduction assets (if applicable)
* training (if applicable)
* code flow (if using advanced SAST)

![MR view of introduced vulnerability](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/no_sql_injection_vulnerability_mr_view_aHR0cHM6_1750099596931.png)

<center><i>MR view of introduced vulnerability</i></center>

Developers can use this data to remediate vulnerabilities without slowing down security team workflows. Developers can dismiss a vulnerability with reasoning, speeding up the review process, or they can create a confidential issue to track the vulnerability.

If the code in an MR is merged to the default (usually production-level) branch, then the vulnerability report is populated with the security scanner results. These results can be used by security teams to manage and triage the vulnerabilities found in production.

![Vulnerability report with Batch Status setting](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/vulnerability_report_aHR0cHM6_1750099596936.png)

<center><i>Vulnerability report with Batch Status setting</i></center>

When clicking on a vulnerability description within the vulnerability report, you are provided with the vulnerability page, which contains the same vulnerability data as the MR, allowing for a single source of truth when assessing impact and performing remediation. From the vulnerability page, [GitLab Duo](https://about.gitlab.com/gitlab-duo/) AI features can be used to explain the vulnerability and also create an MR to remediate, speeding up resolution time.

> ##### Learn more about the security scanners included with GitLab and how to manage vulnerabilities in our [application security documentation](https://docs.gitlab.com/ee/user/application_security/).

### Software bill of materials

GitLab can create a detailed list of everything your software uses – kind of like an ingredients list for your code. This list, called a software bill of materials ([SBOM](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/)), shows you all the external code your project depends on, including the parts you directly use and their own dependencies. For each item, you can see which version you're using, what license it has, and whether it has any known security problems. This helps you keep track of what's in your software and spot potential risks.

![Group-level dependency list (SBOM)](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/sbom_aHR0cHM6_1750099596937.png)

<center><i>Group-level dependency list (SBOM)</i></center>

> ##### Learn how to access and use the dependency list with our [dependency list documentation](https://docs.gitlab.com/ee/user/application_security/dependency_list/).

### System auditing and security posture review

GitLab keeps track of everything that happens in your system, such as who made changes, what they changed, and when they did it. Think of it like a security camera for your code. This record helps you:

* spot any suspicious activity
* show regulators you're following the rules
* figure out what happened if something goes wrong
* see how people are using GitLab

All of this information is stored in one place, making it easy to review and investigate when needed. For example, you can use audit events to track:

* who changed the permission level of a particular user for a GitLab project, and when
* who added a new user or removed a user, and when

![Project-level audit events](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/audit_events_aHR0cHM6_1750099596938.png)

<center><i>Project-level audit events</i></center>

> ##### To learn more about audit events, see the [audit events documentation](https://docs.gitlab.com/ee/user/compliance/audit_events.html).

### Compliance and security posture oversight

GitLab's Security Dashboard works like a control room that shows you all your security risks in one place. Instead of checking different security tools separately, you can see all their findings together on one screen. This makes it easy to spot and fix security problems across all your projects.

![Group-level Security Dashboard](https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099597/Blog/Content%20Images/Blog/Content%20Images/security_dashboard_aHR0cHM6_1750099596939.png)

<center><i>Group-level security dashboard</i></center>

> ##### Learn more about security dashboards with our [security dashboard documentation](https://docs.gitlab.com/ee/user/application_security/security_dashboard/).

## Establish procedures for identifying and mitigating risks

Vulnerabilities go through a specific lifecycle. For example, a part of the procedure can be to require approval for any vulnerable code to be merged to protected branches using security policies. Then the procedure can state that vulnerable code detected in production must be prioritized, assessed, remediated, and then validated:

* The criteria for prioritization can be by the severity of the vulnerability provided by GitLab scanners.
* The assessment can be done using exploitation details provided by the AI: Vulnerability Explanation.
* Once the vulnerability is remediated, then it can be validated using built-in GitLab regression tests and scanners.

While every organization's needs are different, by leveraging GitLab as a platform, risks can be quickly identified and addressed with reduced risk when compared to using a sprawl of disparate tools.

### Best practices for SOC 2 compliance

* Establish a strong security culture: Foster a culture of security awareness and accountability throughout your organization.
* Document everything: Maintain thorough documentation of policies, procedures, and controls.
* Automate where possible: Use automation tools to streamline compliance processes and reduce errors.
* Communicate effectively: Keep stakeholders informed about your compliance efforts.
* Seek expert guidance: Consider partnering with a qualified consultant to assist with your SOC 2 journey.

Achieving SOC 2 compliance is a significant undertaking, but the benefits are undeniable. By demonstrating your commitment to application security and operational excellence, you can build trust with customers, enhance your reputation, and gain a competitive edge in the marketplace.

## Read more

To learn more about GitLab and how we can help achieve SOC 2 compliance while enhancing your security posture, check out the following resources:

* [GitLab Ultimate](https://about.gitlab.com/pricing/ultimate/)
* [GitLab Security and Compliance Solutions](https://about.gitlab.com/solutions/security-compliance/)
* [GitLab Application Security Documentation](https://docs.gitlab.com/ee/user/application_security/)
* [GitLab DevSecOps Tutorial Project](https://gitlab.com/gitlab-da/tutorials/security-and-governance/devsecops/simply-vulnerable-notes)
management",{"text":126,"config":558},{"href":128,"dataGaName":559,"dataGaLocation":492},"continuous integration & delivery",{"text":561,"config":562},"Value stream management",{"href":180,"dataGaName":563,"dataGaLocation":492},"value stream management",{"text":565,"config":566},"GitOps",{"href":567,"dataGaName":568,"dataGaLocation":492},"/solutions/gitops/","gitops",{"text":190,"config":570},{"href":192,"dataGaName":193,"dataGaLocation":492},{"text":572,"config":573},"Small business",{"href":197,"dataGaName":198,"dataGaLocation":492},{"text":575,"config":576},"Public sector",{"href":202,"dataGaName":203,"dataGaLocation":492},{"text":578,"config":579},"Education",{"href":580,"dataGaName":581,"dataGaLocation":492},"/solutions/education/","education",{"text":583,"config":584},"Financial services",{"href":585,"dataGaName":586,"dataGaLocation":492},"/solutions/finance/","financial services",{"title":210,"links":588},[589,591,593,595,598,600,602,604,606,608,610,612,614],{"text":222,"config":590},{"href":224,"dataGaName":225,"dataGaLocation":492},{"text":227,"config":592},{"href":229,"dataGaName":230,"dataGaLocation":492},{"text":232,"config":594},{"href":234,"dataGaName":235,"dataGaLocation":492},{"text":237,"config":596},{"href":239,"dataGaName":597,"dataGaLocation":492},"docs",{"text":260,"config":599},{"href":262,"dataGaName":5,"dataGaLocation":492},{"text":255,"config":601},{"href":257,"dataGaName":258,"dataGaLocation":492},{"text":264,"config":603},{"href":266,"dataGaName":267,"dataGaLocation":492},{"text":277,"config":605},{"href":279,"dataGaName":280,"dataGaLocation":492},{"text":269,"config":607},{"href":271,"dataGaName":272,"dataGaLocation":492},{"text":282,"config":609},{"href":284,"dataGaName":285,"dataGaLocation":492},{"text":287,"config":611},{"href":289,"dataGaName":290,"dataGaLocation":492},{"text":292,"config":613},{"href":294,"dataGaName":295,"dataGaLocation":492},{"text":297,"config":615},{"href":299,"dataGaName":300,"dataGaLocation":492},{"title":315,"
links":617},[618,620,622,624,626,628,630,634,639,641,643,645],{"text":322,"config":619},{"href":324,"dataGaName":317,"dataGaLocation":492},{"text":327,"config":621},{"href":329,"dataGaName":330,"dataGaLocation":492},{"text":335,"config":623},{"href":337,"dataGaName":338,"dataGaLocation":492},{"text":340,"config":625},{"href":342,"dataGaName":343,"dataGaLocation":492},{"text":345,"config":627},{"href":347,"dataGaName":348,"dataGaLocation":492},{"text":350,"config":629},{"href":352,"dataGaName":353,"dataGaLocation":492},{"text":631,"config":632},"Sustainability",{"href":633,"dataGaName":631,"dataGaLocation":492},"/sustainability/",{"text":635,"config":636},"Diversity, inclusion and belonging (DIB)",{"href":637,"dataGaName":638,"dataGaLocation":492},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":355,"config":640},{"href":357,"dataGaName":358,"dataGaLocation":492},{"text":365,"config":642},{"href":367,"dataGaName":368,"dataGaLocation":492},{"text":370,"config":644},{"href":372,"dataGaName":373,"dataGaLocation":492},{"text":646,"config":647},"Modern Slavery Transparency Statement",{"href":648,"dataGaName":649,"dataGaLocation":492},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":651,"links":652},"Contact Us",[653,656,658,660,665,670,675],{"text":654,"config":655},"Contact an expert",{"href":55,"dataGaName":56,"dataGaLocation":492},{"text":384,"config":657},{"href":386,"dataGaName":387,"dataGaLocation":492},{"text":389,"config":659},{"href":391,"dataGaName":392,"dataGaLocation":492},{"text":661,"config":662},"Status",{"href":663,"dataGaName":664,"dataGaLocation":492},"https://status.gitlab.com/","status",{"text":666,"config":667},"Terms of use",{"href":668,"dataGaName":669,"dataGaLocation":492},"/terms/","terms of use",{"text":671,"config":672},"Privacy statement",{"href":673,"dataGaName":674,"dataGaLocation":492},"/privacy/","privacy 
statement",{"text":676,"config":677},"Cookie preferences",{"dataGaName":678,"dataGaLocation":492,"id":679,"isOneTrustButton":29},"cookie preferences","ot-sdk-btn",{"items":681},[682,684,686],{"text":666,"config":683},{"href":668,"dataGaName":669,"dataGaLocation":492},{"text":671,"config":685},{"href":673,"dataGaName":674,"dataGaLocation":492},{"text":676,"config":687},{"dataGaName":678,"dataGaLocation":492,"id":679,"isOneTrustButton":29},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",[693],{"_path":694,"_dir":695,"_draft":6,"_partial":6,"_locale":7,"content":696,"config":700,"_id":702,"_type":32,"title":18,"_source":34,"_file":703,"_stem":704,"_extension":37},"/en-us/blog/authors/fernando-diaz","authors",{"name":18,"config":697},{"headshot":698,"ctfId":699},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659556/Blog/Author%20Headshots/fern_diaz.png","fjdiaz",{"template":701},"BlogAuthor","content:en-us:blog:authors:fernando-diaz.yml","en-us/blog/authors/fernando-diaz.yml","en-us/blog/authors/fernando-diaz",{"_path":706,"_dir":40,"_draft":6,"_partial":6,"_locale":7,"header":707,"eyebrow":708,"blurb":709,"button":710,"secondaryButton":714,"_id":716,"_type":32,"title":717,"_source":34,"_file":718,"_stem":719,"_extension":37},"/shared/en-us/next-steps","Start shipping better software faster","50%+ of the Fortune 100 trust GitLab","See what your team can do with the intelligent\n\n\nDevSecOps platform.\n",{"text":48,"config":711},{"href":712,"dataGaName":51,"dataGaLocation":713},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":53,"config":715},{"href":55,"dataGaName":56,"dataGaLocation":713},"content:shared:en-us:next-steps.yml","Next Steps","shared/en-us/next-steps.yml","shared/en-us/next-steps",1758326264004]